Admin Roles
Define the Admin Roles

# Create a new Admin

Defining admin roles: https://live.paloaltonetworks.com/docs/DOC-5177

Admin Roles (profiles)
Device -> Admin Roles
* This page defines role profiles that specify the access and responsibilities of administrative user accounts on the firewall.
* Administrators are given rights by assigning privileges to an admin role and then assigning that role to a specific user.
* By default, ALL options are set to ENABLE for the web GUI, XML API, and CLI.

You first use the Superuser role for the initial configuration of the device and to create the administrator accounts for the Security Admin, Audit Admin, and Cryptographic Admin. These CANNOT be modified.
* AuditAdmin = Responsible for regular review of the firewall's audit data.
* CryptoAdmin = Responsible for the configuration and maintenance of cryptographic elements related to the establishment of secure connections to the firewall.
* SecurityAdmin = Responsible for all other administrative tasks (creating the firewall's security policy) not addressed by the other two admin roles.

There are 3 parts to the admin role:
1. Web GUI permissions (enable / read only / deny)
2. XML API permissions (enable / deny)
3. CLI permissions (enable / deny)

CLI permissions are limited to a set of pre-defined roles:
* None = No access to any options of the device or any virtual systems
* Superuser = Full access to all options of the device and all virtual systems
* Superreader = Read-only access to all options of the device and all virtual systems
* Deviceadmin = Same as Superuser EXCEPT for creation of admin accounts and virtual systems
* Devicereader = Same as Superreader EXCEPT for admin account and virtual system creation information

Administrators
* Admin accounts control access to the firewall.
* Limits of the account are determined by the role type assigned to the account: Dynamic or Role Based.
* Admin Role Profiles are also assigned here.
Device -> Administrators

Default Admin account: Device -> Administrators -> Add

The following authentication methods are supported:
* Password Authentication - the user enters a user name and password to log in. No certificates required.
* Client Certificate Authentication (web) - if this box is selected, a username and password are not required. The certificate is sufficient to authenticate access to the firewall.
* Public Key Authentication (SSH) - the user can generate a public/private key pair on the machine that requires access to the firewall, and then upload the public key to the firewall to allow secure access without requiring the user to enter a username and password.

PASSWORD:
- Minimum password requirements can be set at Device -> Setup -> Management -> Minimum Password Complexity

ROLE BASED: Customized user-defined roles. Must select a profile created in Device -> Admin Roles.

DYNAMIC: User rights are defined using the built-in roles. These permissions affect both GUI and CLI.
* None = No access to any options of the device or any virtual systems
* Superuser = Full access to all options of the device and all virtual systems
* Superreader = Read-only access to all options of the device and all virtual systems
* Deviceadmin = Same as Superuser EXCEPT for creation of admin accounts and virtual systems
* Devicereader = Same as Superreader EXCEPT for admin account and virtual system creation information

PASSWORD PROFILE:
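The Admin Roles and Administrators sections above describe a three-part role profile (web GUI / XML API / CLI) that starts with everything ENABLED, and accounts that receive either a Dynamic built-in role or a Role Based custom profile. The Python audit below is an added example, not from these notes or from Palo Alto Networks: it checks a constructed XML description of both against least privilege; the element names are assumptions chosen to mirror the page's terms, not PAN-OS's real export format.

```python
"""Least-privilege audit of admin accounts against the admin-role profiles they use.
The XML is CONSTRUCTED for this example (it mirrors the page's terms, not a real
'show config' export); adjust the element paths to match your own export."""
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """
<config>
  <admin-roles>
    <entry name="audit-admin">
      <webui><monitor>read-only</monitor><policies>deny</policies></webui>
      <xmlapi><log>enable</log><config>deny</config></xmlapi>
      <cli>superuser</cli>
    </entry>
  </admin-roles>
  <administrators>
    <entry name="admin"><dynamic>superuser</dynamic></entry>
    <entry name="auditor"><role-based>audit-admin</role-based></entry>
    <entry name="backup-ops"><dynamic>superuser</dynamic></entry>
  </administrators>
</config>
"""

PRIVILEGED_CLI = {"superuser", "deviceadmin"}  # predefined roles with config rights

def audit(xml_text, allowed_superusers=("admin",)):
    """Return (user, finding) tuples for accounts that break least privilege."""
    root = ET.fromstring(xml_text)
    profiles = {}
    for prof in root.findall("./admin-roles/entry"):
        cli = prof.findtext("cli", default="none").lower()
        # Profiles start with everything ENABLED: any XML API part still 'enable' is a finding.
        xmlapi = prof.find("xmlapi")
        xml_open = xmlapi is not None and any(e.text == "enable" for e in xmlapi)
        profiles[prof.get("name")] = (cli, xml_open)

    findings = []
    for user in root.findall("./administrators/entry"):
        name = user.get("name")
        dynamic = user.findtext("dynamic")
        if dynamic in PRIVILEGED_CLI and name not in allowed_superusers:
            findings.append((name, f"dynamic role {dynamic} not on the allowed list"))
        prof = user.findtext("role-based")
        if prof in profiles:
            cli, xml_open = profiles[prof]
            if cli in PRIVILEGED_CLI:
                findings.append((name, f"profile {prof} grants CLI role {cli}"))
            if xml_open:
                findings.append((name, f"profile {prof} leaves XML API enabled"))
    return findings
```

Run `audit(SAMPLE_CONFIG)` to list the offending accounts; an audit-only profile that still carries CLI superuser, or a second account using the dynamic Superuser role, is exactly what the separation of Security/Audit/Crypto admins is meant to prevent.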